Configuring Walk-Away Security for Unattended Workstations
Computers in public or semi-public areas have the risk of being viewed by unauthorized people. Imprivata Enterprise Access Management provides a comprehensive set of tools for securing unattended workstations.
Configure hot keys, which allow a user to secure a workstation immediately. Hot keys are configured in the user policy; see Setting a Hot-Key to Lock a Workstation.
Imprivata offers the following methods for securing unattended workstations, configured in a computer policy.

A notification can be displayed to let users know who is currently logged into Enterprise Access Management on a shared workstation.
Set user notifications for scenarios in which many users authenticate to a workstation with proximity cards under common shared workstation policies.
When a user taps a proximity card at an idle workstation:
- If the user is NOT the currently logged-in user, she will be authenticated, displacing the current user.
- If the user IS the current user, she inadvertently logs herself out.
To display a notification:
- Go to the Walk-Away Security tab, and open Advanced settings.
- Enable Display a notification of the current signed-in user after 60 seconds of inactivity.
- If required, update the amount of time to wait before the notification is displayed.

You can configure workstations to show a warning, and then lock automatically, when Enterprise Access Management fails to detect activity after a specified period of time. At the configured time, a countdown to locking the workstation starts.
A locked workstation displays the standard Windows login screen and requires re-authentication to unlock the desktop.
To set warning and lock times for inactive computers:
- Open the Walk-Away Security tab.
- Go to the Inactivity detection > Keyboard and mouse section.
- Use Lock workstation after and Show activity warning to specify the required values.
You can also configure inactivity behavior for specific application profiles, so that when the user is logged off, or the application is onscreen but idle, the warning screen or screen lock occurs sooner than the keyboard-and-mouse times above. These settings are located in Advanced settings > Application activity tracking.
To control the appearance of the warning screen, see Warning Behavior.
Chrome applications only support the User is logged off state for application-specific inactivity-based presence detection.

This method is most useful for shared workstations.
The settings in the Advanced settings > Proximity card lock behavior section of the Walk-Away Security tab let you customize settings for users who authenticate to this computer by proximity card.
Proximity cards require a number of settings, all of which are detailed in Authentication for Smart Cards with Microsoft Active Directory (AD) Certificates.
NOTE: You can program RF IDeas card readers to beep to acknowledge the user’s card tap. This option is available on the computer policy General tab.

The Lock and warning behavior > Warning behavior section of the Walk-Away Security tab lets you configure two types of warnings to notify the user that the workstation is going to lock when the countdown reaches 0:00.
- Select the type of warning to use for this computer policy. The inactivity times configured in Inactivity-Based Presence Detection are enforced.
- (Optional) Click Customize the warning and lock display text to modify the default warning behavior.

When a computer reaches the Lock workstation time set in Inactivity-Based Presence Detection, Enterprise Access Management can obscure the desktop, or you can select an application to remain visible on the desktop for monitoring purposes. These settings are configured in the Lock and warning behavior > Lock behavior section. Obscure the desktop is selected by default.
Under transparent screen lock conditions, the computer display continues to show the active application while the computer is locked. The authentication dialog opens when:
- A user presses any key on the keyboard.
- A user moves the mouse, if the Ignore mouse movement option is not selected.
Configuring Transparent Screen Lock
To configure the transparent screen lock:
- In the Lock behavior section of the Walk-Away Security tab, select Desktop remains visible (transparent screen lock).
- Click Customize the warning and lock display text. The Customization tab opens.
- In the Walk-away security section, select whether the transparent screen lock indicator bar is displayed at the top or the bottom of the display.
The screen lock extends to both monitors of a dual monitor configuration.
During transparent screen lock, the computer display continues to show the selected application while the computer is locked. The authentication dialog opens when a user satisfies the Transparent Screen Lock Workflow. In case one of these conditions occurs by accident, you can set the dialog box to close and return to the transparent screen lock state after a pre-defined period.
Transparent Screen Lock Workflow
- A desktop may be locked in a number of ways:
  - EAM inactivity lock (configurable in user policy)
  - User taps proximity card on proximity card reader (configurable in user policy)
  - User presses the Imprivata Hot Key (configurable in user policy)
  - User removes smart card from the reader (configurable in Windows policy)
  - User selects Logout from the Imprivata agent menu
- The desktop remains visible while in the lock state. It is not a snapshot of the desktop. Application updates and other desktop activity are visible to users.
- EAM prompts the user to authenticate when user activity is detected:
  - Typing on the keyboard
  - Clicking a mouse button or moving the mouse (computer policy can be configured to ignore mouse movement)
  - Tapping proximity card on the reader
- When the Imprivata authentication dialog opens:
  - If the user does nothing, the authentication dialog is dismissed after a configurable period of inactivity from 5 seconds to 10 minutes.
  - The user can dismiss the dialog by pressing the Esc key or clicking Cancel.
  - Users can authenticate by whatever method is allowed in the user policy, subject to computer policy overrides.
  - If the user authentication is successful, the desktop is unlocked and the user gains access to the desktop.
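The following model is an added example, not Imprivata code, that ties together the behaviours described on this page: the inactivity notification, warning countdown and lock; the proximity-card tap at an idle workstation (same user logs out, another user displaces); and the transparent screen lock workflow, where input opens an authentication dialog that is dismissed again after a configurable period. It lets an administrator check a proposed set of Walk-Away Security values against a constructed timeline of user actions before rolling the computer policy out. The field names, state labels, event kinds and the timeline are assumptions of this example; the setting names in the comments are the ones the page uses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Field names mirror the settings named on the page; the names, the state
# labels and the event kinds are this example's own assumptions.
@dataclass
class WalkAwayPolicy:
    warning_after: int                    # "Show activity warning" (seconds idle)
    lock_after: int                       # "Lock workstation after" (seconds idle)
    notify_after: int = 60                # "Display a notification of the current signed-in user"
    dialog_timeout: int = 30              # auth dialog auto-dismiss; page allows 5 s to 10 min
    ignore_mouse_movement: bool = False   # "Ignore mouse movement" under transparent screen lock

    def validate(self) -> List[str]:
        """Problems an administrator should fix before applying the computer policy."""
        problems = []
        if self.warning_after >= self.lock_after:
            problems.append("warning must fire before the lock, or the countdown is empty")
        if not 5 <= self.dialog_timeout <= 600:
            problems.append("dialog timeout must be between 5 seconds and 10 minutes")
        return problems

    def countdown_seconds(self) -> int:
        """Length of the on-screen countdown from the warning to the lock."""
        return self.lock_after - self.warning_after


@dataclass
class Workstation:
    policy: WalkAwayPolicy
    user: Optional[str]
    state: str = "active"   # active | notified | warning | locked | auth_dialog | logged_out
    last_activity: int = 0
    dialog_opened: int = 0
    transitions: List[Tuple[int, str, Optional[str]]] = field(default_factory=list)

    def _set(self, now: int, state: str) -> None:
        if state != self.state:
            self.state = state
            self.transitions.append((now, state, self.user))

    def _authenticate(self, now: int, user: Optional[str]) -> None:
        self.user = user or self.user
        self.last_activity = now
        self._set(now, "active")

    def advance(self, now: int) -> None:
        """Apply the inactivity thresholds up to `now` with no user input in between."""
        idle = now - self.last_activity
        if self.state in ("active", "notified", "warning"):
            if idle >= self.policy.lock_after:
                self._set(now, "locked")
            elif idle >= self.policy.warning_after:
                self._set(now, "warning")
            elif idle >= self.policy.notify_after:
                self._set(now, "notified")
        elif self.state == "auth_dialog" and now - self.dialog_opened >= self.policy.dialog_timeout:
            self._set(now, "locked")   # nobody answered the dialog: back to the lock screen

    def event(self, now: int, kind: str, user: Optional[str] = None) -> None:
        """Feed one user action at time `now`; a `tick` only lets time pass."""
        self.advance(now)
        if kind == "tick":
            return
        if self.state == "locked":
            # Transparent screen lock: input opens the authentication dialog,
            # except mouse movement when the policy ignores it.
            if kind == "mouse_move" and self.policy.ignore_mouse_movement:
                return
            if kind in ("keyboard", "mouse_click", "mouse_move", "card_tap"):
                self.dialog_opened = now
                self._set(now, "auth_dialog")
                if kind == "card_tap":           # assumption: the tap also supplies the credential
                    self._authenticate(now, user)
        elif self.state == "auth_dialog":
            if kind in ("esc", "cancel"):
                self._set(now, "locked")
            elif kind in ("auth_ok", "card_tap"):
                self._authenticate(now, user)
        elif kind == "hot_key":                  # hot key secures the workstation immediately
            self._set(now, "locked")
        elif kind == "card_tap":
            if user == self.user:                # current user taps again: logs herself out
                self.user = None
                self._set(now, "logged_out")
            else:                                # another user displaces the current one
                self._authenticate(now, user)
        else:                                    # ordinary activity resets the timers
            self.last_activity = now
            self._set(now, "active")


def run(policy: WalkAwayPolicy, user: Optional[str], events) -> List[Tuple[int, str, Optional[str]]]:
    """Replay (time, kind[, user]) events and return every state transition."""
    ws = Workstation(policy, user)
    for now, kind, *rest in events:
        ws.event(now, kind, rest[0] if rest else None)
    return ws.transitions


if __name__ == "__main__":
    policy = WalkAwayPolicy(warning_after=120, lock_after=180, ignore_mouse_movement=True)
    # Constructed timeline: alice works, walks away, bob later taps in and then taps again.
    events = [(50, "keyboard"), (115, "tick"), (175, "tick"), (240, "tick"), (250, "mouse_move"),
              (260, "keyboard"), (300, "tick"), (310, "card_tap", "bob"), (320, "card_tap", "bob")]
    for row in run(policy, "alice", events):
        print(row)
```

Running the timeline shows the notification at 60 seconds idle, the warning at 120, the lock at 180, an ignored mouse movement, a keyboard press that opens the dialog and a dismissal 30 seconds later, then bob's tap unlocking the desktop and his second tap logging him out. A policy whose warning time is not below the lock time, or whose dialog timeout is outside the 5 second to 10 minute range, is reported by `validate()` before any timeline is replayed.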